The M&S Cyberattack: How IT Asset Management Can Make or Break Your Recovery

16 May 2025
5 minute read
ITAM News & Analysis

Marks & Spencer (M&S), the iconic UK retailer, recently became the latest high-profile victim of a devastating cyberattack. Fellow retailers The Co-Op and Harrods were also attacked. Recent reports suggest the rapid action at the Co-Op meant the damage was nowhere near as bad as at M&S. Whilst, last weekend, I couldn’t get popcorn and snacks for a family movie night from my local Co-Op, it expects I’ll be able to get a full range of unhealthy items in time for Eurovision this weekend.

The imminent future for M&S is less rosy – perhaps they’re ready to score “null points” – as reports confirm customer data (including names, addresses, and order histories) was stolen, and click-and-collect services were frozen. It’s estimated this is costing them £40 million per week in lost sales alone. The final recovery bill, particularly given that sensitive customer data breach, could easily stretch into the billions.

The breach has reinforced a hard truth: the retail sector, with its rapid turnover of staff and huge parts of the network exposed in public-facing deployments, is particularly vulnerable. You can’t secure what you can’t see, and this is why ITAM is perhaps an overlooked weapon in cyber defence and recovery.

ITAM: The Unsung Hero in Cyber Recovery

ITAM may not grab headlines like firewalls or AI threat detection, but it plays a critical role in recovering from a major breach. When an attack hits, an organisation must answer three urgent questions: What do we have? Where is it? What’s been compromised?

A comprehensive ITAM program delivers that clarity by providing a detailed, real-time inventory of every hardware device, software application, license, and configuration across the organisation. Increasingly, that inventory is stored in a cloud service, which may have been less vulnerable.

For M&S, effective ITAM could have:

  • Accelerated Isolation of Affected Assets: Knowing exactly which servers, endpoints, or cloud services were exposed would have enabled faster containment of the breach. Reports suggest The Co-Op “pulled the plug” – indicating they had rapid oversight of compromised networks and devices.
  • Streamlined Patch & Vulnerability Management: ITAM ensures software versions and patch levels are tracked, making it easier to prioritise critical updates and mitigate further risk. Unpatched devices can end up costing billions – just ask Equifax.
  • Efficient Disaster Recovery: Recovery from backups or system images only works if you know what the “gold standard” configuration was pre-attack. ITAM data acts as the blueprint. Critically, it will have data relating to both users and devices.

The Cost of Not Knowing

The financial and operational impact of major cyberattacks is well documented. The Equifax breach of 2017—where poor asset visibility contributed to attackers exploiting an unpatched server—cost the company $1.4 billion+ in penalties, remediation, and lost business. Similarly, when Maersk was hit by the NotPetya ransomware attack, lack of visibility into IT assets forced a full network rebuild from scratch. The recovery bill: around $300 million, plus reputational damage and weeks of business disruption.

In the case of Maersk, ITAM data proved critical. Engineers were able to find a server that was the equivalent of Ant Man during “The Blip” – it happened to be offline in Lagos (as opposed to the quantum realm) and as a Domain Controller, it contained the only complete picture of the Maersk estate pre-hack.

While M&S’s full recovery cost has yet to be revealed, industry experts estimate large-scale cyber incidents typically cost anywhere from £100 million to £500 million once direct losses, regulatory fines, legal fees, system rebuilds, and customer churn are accounted for. M&S will likely be at the high end of that because customer data, including order history, was exposed. Consider this: Some hackers now know if you’re a ‘luxury lingerie and champers’ type or more of a ‘practical pants and oat biscuits’ kind of customer. There’s probably scope for a “Love Actually Scarf” awkward conversation in there somewhere too.

Prevention is Even Better

The role of ITAM isn’t just about triage and recovery. Proactive asset management helps prevent breaches in the first place by:

  • Monitoring for unauthorised devices or rogue software installations.
  • Enforcing secure baseline configurations.
  • Providing the foundation for security audits and compliance reporting.

Simply put: if you can’t see it, you can’t secure it.

It’s a Wake-Up Call – Don’t let your organisation be next. Step up, skill up, and be the bridge between ITAM and Security.

Check out the newly launched LISA course, Cybersecurity & ITAM.

You’ll gain insights into identifying vulnerabilities, managing asset lifecycles, ensuring compliance, and supporting proactive security measures.


It’s a course that combines technical concepts with real-world practices to build a strong knowledge foundation.


About AJ Witt

A former IT Asset Manager, AJ is Industry Analyst for The ITAM Review. He's interested in hearing from end users of ITAM tools and also vendors. He enjoys writing about the SaaS Management market, practical aspects of ITAM operations, and the strategy of major software publishers. You can connect via email (aj.witt@itassetmanagement.net) or LinkedIn. AJ is based in the New Forest where he enjoys cycling, walking, spending time with his family, and keeping chickens.
